The author is a Forbes contributor. The opinions expressed are those of the writer.

Loading ...

Loading ...

This story appears in the {{article.article.magazine.pretty_date}} issue of {{article.article.magazine.pubName}}. Subscribe

Another day, another Internet security crisis. This time it's a problem with the encryption protocol that many Internet sites use to protect their data. Yet again, users for whom the basics of Internet security are as obscure as the functioning of car engines are being told there are lots of "site lemons" out there and that they need to be careful.

For those who want the nitty-gritty on what the Heartbleed bug is and what went wrong with the "code library" it snuck into, read Rusty Foster in the New Yorker. As for whether it affects you and the sites you use, check out this tool from password service LastPass. (Yes, Netflix and HBOGo, for example, were vulnerable to the Heartbleed bug, meaning someone may have been able to ping those websites for people's usernames and passwords, and you should change your credentials there when their sites are fixed.)

It will be fixed, just like GoToFail encryption bug was fixed, and this will blow over, and people will change their passwords, and everything will be fine.... unless, as Bruce Schneier points out, the flaw is in an embedded system that can't be updated. Regardless, something like this will happen again. The bigger problem illuminated by this latest security crisis was spelled out in a report from the Wall Street Journal's Danny Yadron. The OpenSSL code library on which so many companies rely for their Web security only has one dude working on the project full-time.

OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job.

And it is strapped for cash:

Writing encryption code is complex, so many website operators tap OpenSSL, which is free. It was created in the late 1990s by developers who wanted an easy-to-use encryption scheme for Internet traffic. Its website is bare bones, as are its finances. Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.

That's despite the fact that up to two-thirds of the Web relies on it. The German developer responsible for Heartbleed, Robin Seggelman, who introduced the coding version of a typo, did so an hour from New Year's Eve in 2011, according to reports. It's hard to be mad at a guy so devoted to a project that he was doing bug fixes on a holiday. Because it is an open-source project, anyone can review it, and the hope -- one deeply rooted in the philosophy of the Internet age -- is that through crowd-sourcing, mistakes will be inevitably be caught and scourged.

But it wasn't spotted until two years later by security engineer Neel Mehta, who is not talking to the press, according to a Google spokesperson, who would only provide a statement from Google. "The security of our users' information is a top priority," she writes. "We fixed this bug early and Google users do not need to change their passwords."

But what about the larger problem? Internet users big and small, from billion-dollar corporations like Google and to little non-profits offering secure websites, rely on a volunteer project to provide the skeleton for their security, with no formal requirements that they contribute to it.

“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Princeton computer security expert Edward Felten tells Farjad Manjoo in the New York Times. He went on to compare the "culture of software development” with that of the "safety culture that is common in fields such as aviation" and finds the former lacking. That makes sense in a way: the Internet doesn't usually kill you when it fails, but it can certainly be expensive for companies and troublesome for Internet users when something like Heartbleed happens.

So what's the solution? Obviously, those tending to the security protocols that support the rest of the Web need better infrastructure and more funding. "Large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails," writes Foster in the New Yorker.

He sees some change thanks to venture capital funding in open source code-infrastructure projects, like GitHub and the Node Package Manager. "But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts," he writes. "It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers."

We need to find ways to pay for work that is currently essentially donated freely. One promising project is Bithub, from Whisper Systems, where people who make valuable contributions to open source projects are rewarded (with Bitcoin of course). But the pool of Bitcoin is still donation based. The Internet has helped create a culture of free, but what we may need to recognize is that we get what we pay for. Well-funded companies pulling critical code from open source projects for their sites should have formal fee arrangements, rather than the volunteer group simply hoping these users will pony up some Benjamins for "prominent logo placement" on a website most people had never heard of before Heartbleed.

"The largest contribution that we've ever received that could be considered a no-strings donation (rather than payment for specific contractual deliverables) was $10K several years ago," says Steve Marquess of the OpenSSL Foundation, the non-profit that manages funds for the group.